US11336661B2ActiveUtilityA1

Detecting remote application profiling

82
Assignee: BLACKBERRY LTDPriority: Oct 18, 2017Filed: Aug 23, 2018Granted: May 17, 2022
Est. expiryOct 18, 2037(~11.3 yrs left)· nominal 20-yr term from priority
H04L 63/1433H04L 63/1425H04L 63/1416H04L 63/1475
82
PatentIndex Score
4
Cited by
14
References
14
Claims

Abstract

Systems, methods, and software can be used to detect remote application profiling. In some aspects, one computer-implemented method includes receiving, over a network, a request from a network client directed to a particular application executed by an application server; determining whether the received request deviates from a communications profile associated with the particular application; in response to determining that the received request deviates from the communications profile, identifying the network client as an attacker; and in response to identifying the network client as an attacker, performing a defensive response with respect to the network client.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method, comprising:
 receiving, over a network, a request from a network client directed to a particular application executed by an application server; 
 determining that the received request includes an action that is different from application programing interface (API) actions defined in a communications profile associated with the particular application, wherein the communications profile associated with the particular application defines one or more API actions that are accepted by the particular application, and wherein the request is a Hypertext Transfer Protocol (HTTP) request, the communications profile associated with the particular application defines a particular value associated with the particular application, and determining that the received request includes the action that is different from API actions defined in the communications profile comprises determination that an HTTP user agent header included in the received request has a value that is different from the particular value defined in the communications profile; 
 in response to determining that the received request includes the action that is different from API actions defined in the communications profile, identifying the network client as an attacker; and 
 in response to identifying the network client as the attacker, performing a defensive response with respect to the network client that sends the request, wherein performing the defensive response includes blocking requests originating from an Internet Protocol (IP) address associated with the network client for a configured period of time. 
 
     
     
       2. The method of  claim 1 , further comprising:
 in response to determining that the received request does not deviate from the communications profile, providing the received request to the particular application. 
 
     
     
       3. The method of  claim 1 , wherein determining whether the received request deviates from the communications profile includes determining whether an HTTP verb included in the request deviates from an expected user agent header associated with the particular application. 
     
     
       4. The method of  claim 1 , wherein determining whether the received request deviates from the communications profile includes determining whether the received request deviates from an expected request format associated with the particular application. 
     
     
       5. The method of  claim 1 , wherein performing the defensive response with respect to the network client includes generating an alert including information about the network client. 
     
     
       6. The method of  claim 1 , wherein performing the defensive response with respect to the network client includes logging a security issue including information about the network client. 
     
     
       7. A computing device, comprising:
 at least one hardware processor; 
 a non-transitory computer-readable storage medium coupled to the at least one hardware processor and storing programming instructions for execution by the at least one hardware processor, wherein the programming instructions, when executed, cause the at least one hardware processor to perform operations comprising:
 receiving, over a network, a request from a network client directed to a particular application executed by an application server; 
 determining that the received request includes an action that is different from application programing interface (API) actions defined in a communications profile associated with the particular application, wherein the communications profile associated with the particular application defines one or more API actions that are accepted by the particular application, and wherein the request is a Hypertext Transfer Protocol (HTTP) request, the communications profile associated with the particular application defines a particular value associated with the particular application, and determining that the received request includes the action that is different from API actions defined in the communications profile comprises determination that an HTTP user agent header included in the received request has a value that is different from the particular value defined in the communications profile; 
 in response to determining that the received request includes the action that is different from API actions defined in the communications profile, identifying the network client as an attacker; and 
 in response to identifying the network client as the attacker, performing a defensive response with respect to the network client that sends the request, wherein performing the defensive response includes blocking requests originating from an Internet Protocol (IP) address associated with the network client for a configured period of time. 
 
 
     
     
       8. The computing device of  claim 7 , the operations further comprising:
 in response to determining that the received request does not deviate from the communications profile, providing the received request to the particular application. 
 
     
     
       9. The computing device of  claim 7 , wherein determining whether the received request deviates from the communications profile includes determining whether an HTTP verb included in the request deviates from an expected user agent header associated with the particular application. 
     
     
       10. The computing device of  claim 7 , wherein determining whether the received request deviates from the communications profile includes determining whether the received request deviates from an expected request format associated with the particular application. 
     
     
       11. The computing device of  claim 7 , wherein performing the defensive response with respect to the network client includes generating an alert including information about the network client. 
     
     
       12. The computing device of  claim 7 , wherein performing the defensive response with respect to the network client includes logging a security issue including information about the network client. 
     
     
       13. One or more non-transitory computer-readable media containing instructions which, when executed, cause a computing device to perform operations comprising:
 receiving, over a network, a request from a network client directed to a particular application executed by an application server; 
 determining that the received request includes an action that is different from application programing interface (API) actions defined in a communications profile associated with the particular application, wherein the communications profile associated with the particular application defines one or more API actions that are accepted by the particular application, and wherein the request is a Hypertext Transfer Protocol (HTTP) request, the communications profile associated with the particular application defines a particular value associated with the particular application, and determining that the received request includes the action that is different from API actions defined in the communications profile comprises determination that an HTTP user agent header included in the received request has a value that is different from the particular value defined in the communications profile; 
 in response to determining that the received request includes the action that is different from API actions defined in the communications profile, identifying the network client as an attacker; and 
 in response to identifying the network client as the attacker, performing a defensive response with respect to the network client that sends the request, wherein performing the defensive response includes blocking requests originating from an Internet Protocol (IP) address associated with the network client for a configured period of time. 
 
     
     
       14. The one or more non-transitory computer-readable media of  claim 13 , the operations further comprising:
 in response to determining that the received request does not deviate from the communications profile, providing the received request to the particular application.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.